
I got a flat tire last week. Fortunately, I was right near my house, so I was able to make it home and have AAA get the donut on.
I called my tire guys – which is literally the name of their company: “My Tire Guys.”
They come to your house or place of work with new tires and replace them… economically. I have used them multiple times in the past and they have always been awesome.
Unfortunately, I must have hit some kind of flat tire pre-holiday rush (is there such a thing?) because they said, “We won’t be able to replace your tires for a couple of weeks.”
Hmm. I couldn’t drive around on a donut for that long. So I did what any modern-day consumer would do and ordered a single, new tire off of Amazon.
“But Rob, you are supposed to order a set.”
I know. But I have had this car for more than a decade and am planning on selling it in a couple of months.
(Sidenote: Ten-year-old cars are considered practically new by my parents’ standards, but I intend to break with tradition on this topic.)
A couple of days later, the tire arrived on my front porch and off I went to a local garage to have it put on and balanced properly.
“No mechanic!” they told me in a less than friendly tone.
So I went to another car place.
“Can’t do it today. Come back tomorrow.”
So I went back the next day…
“We can’t put this tire on this car; it has a different tread than the existing ones. With all-wheel drive, you need to replace all four tires.”
So much for my brilliant idea. After lots of wasted time and added expense, I now have four, brand-spanking-new tires on a car I don’t intend to have for very much longer.
“We Will Deal With it When it Happens” is a Bad Cybersecurity Strategy
Tire difficulties, while inconvenient, are rarely disastrous.
On the other hand, waiting for a cybersecurity incident to occur before you identify a solution (e.g., ransomware, wire transfer fraud, bad actors in your email system) can lead to all kinds of serious problems.
And not just because of the incident itself.
Trying to vet and hire a qualified and immediately available cyber-incident remediator on a moment’s notice is not a situation you want to find yourself in. With every hour that passes, the likelihood of further damage increases.
But it can take some time to get things set up. Here, for example, is a typical sales process for hiring an incident remediator:
- Select the vendor. Your cyber insurer has an approved panel of vendors. You don’t have to hire one of them, but if you go “off panel,” your insurer may only reimburse you for half the cost (or less). And since the insurer’s goal is to minimize their costs, who knows how capable their vendors are.
- Conflict of interest check. The vendor may need to make sure they can work with you, depending on who their other clients are. This can take hours.
- Initial sales call. Now you need to do some technical due diligence. Does the vendor have expertise with your specific tech stack?
- Contract negotiation and signing. With time of the essence, your options for negotiation are necessarily limited.
- Vendor team assignment. Depending on how engaged the vendor’s incident remediators already are with other customers, they will send you their A, B, C, or (uh oh) D team!
- Work begins. Finally.
Not exactly instantaneous. Which is why we advocate signing up with an incident remediator BEFORE an incident.
But I understand. Your employees are already loaded to the max – it’s hard to justify working on a contract for something that falls under the heading of “just in case.” Plus, you may not want to part with funds for a situation that, while potentially serious, is unlikely to happen.
There’s got to be a better way.
And there is … it’s called a “Zero Dollar Retainer” – an agreement that provides pre-arranged access to incident response (IR) services without any upfront payment or prepaid hours.
Key Benefits
- Fast response times. The contract is already signed.
- Cost efficiency. No upfront fees. Pre-set hourly fee.
- Clarity. The Service Level Agreement (SLA) on response time is locked in.
- Aligned with insurance. Prevalidation that the agreement meets cyber insurance obligations.
Potential drawbacks
- If a large-scale cyber incident occurs – like Log4Shell or SolarWinds – you won’t be the only company affected. Those on a paid retainer will have a higher priority.
- Which means that… you may still get the B, C, or D team.
- Putting this in place still requires the time and attention of your staff before the fact.
Much Better Than Nothing
Okay, so a Zero Dollar Retainer is not perfect.
But for many small and midsize companies that don’t have the size to justify an ongoing paid retainer, it’s WAY better than just closing your eyes and hoping for the best.
At least this way, if an incident happens, you have a contract in place with a fully-vetted vendor that you can turn on instantly.
The point is, waiting for something to go wrong is about the worst time to go vendor shopping!
By the way, let me know if you have any interest in a 2013 Acura RDX with 75,186 miles and four, hardly used, Cooper Endeavor Plus All-Season 235/60R18 tires.
Come to think of it… Hey mom and dad, any interest in buying a “practically new” car?